PT-2026-33848 · Nginx-Ui · Nginx-Ui
Published 2026-03-16 · Updated 2026-04-21 · CVE-2026-34403
CVSS v2.0: 9.4 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Nginx UI versions prior to 2.3.5
Description
All WebSocket endpoints use a gorilla/websocket Upgrader with a configuration that unconditionally accepts all origins, enabling Cross-Site WebSocket Hijacking (CSWSH). This is exacerbated by authentication tokens being stored in browser cookies without HttpOnly or SameSite attributes. Consequently, a malicious webpage can establish authenticated WebSocket connections to the instance when a logged-in administrator visits the attacker-controlled page. This can lead to the theft of sensitive server information, reading of nginx log files, triggering of system operations such as binary upgrades, and potentially achieving Remote Code Execution via interactive terminal access if OTP is not enabled.
Affected endpoints include:
- '/api/nginx/detail status/ws'
- '/api/events'
- '/api/analytic/intro'
- '/api/nginx log'
- '/api/pty'
- '/api/upgrade/perform'
- '/api/cluster/nodes/enabled'
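The two weaknesses the description combines, shown side by side as an added illustration (not Nginx UI's own code): an origin check that accepts everything, the allowlist-based replacement a maintainer would pass as `CheckOrigin` to a gorilla/websocket `Upgrader`, and a session cookie carrying the HttpOnly and SameSite attributes the advisory says were missing. The helper names and the allowed origin are assumptions; only the standard library is used so the snippet runs without gorilla/websocket.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// The pattern the advisory describes: every Origin is accepted, so any page
// a logged-in administrator's browser visits can open an authenticated socket.
func acceptAllOrigins(r *http.Request) bool { return true }

// Hardened replacement (hypothetical helper; same signature as gorilla's
// CheckOrigin, used as websocket.Upgrader{CheckOrigin: checkOrigin(allowed)}).
// The browser-supplied Origin must match an allowed origin exactly, including
// scheme and port. A missing Origin header (non-browser client) is accepted,
// which mirrors gorilla/websocket's default behaviour.
func checkOrigin(allowed []string) func(r *http.Request) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = struct{}{}
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true
		}
		u, err := url.Parse(origin)
		if err != nil || u.Scheme == "" || u.Host == "" {
			return false
		}
		_, ok := set[strings.ToLower(u.Scheme+"://"+u.Host)]
		return ok
	}
}

// Session cookie with the attributes the advisory notes were absent:
// HttpOnly keeps scripts from reading it, SameSite=Strict keeps the browser
// from attaching it to cross-site requests, Secure restricts it to TLS.
func sessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	}
}
```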
Recommendations
Update to version 2.3.5.
Fix
CSRF
Affected Products
Nginx-Ui